The problem is the client has a set config and given that the current state or previous state was "on-demand" any change you make on the firewall side won't be made to the client until they connect.
The only way to get this update on the clients without them connecting in is to modify the client machine directly:
Here's the high level:
Here's some more specific config parameters:
Finally (from the above link) here's the link on how to make the change to the client you want:
where within the registry would i deploy these keys? for example if i wanted initial state to be prelogon always on:
connect-method on-demand | pre-logon | user-logon
The path to the registry setting is here.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings
The key value is connect-method
The value data is either on-demand, pre-logon, or user-logon
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!